FormBook stealer: Data theft made easy

Posted on 2018-06-22 by Adam Swanda

The FormBook information stealing malware, advertised as providing an "extensive and powerful internet monitoring experience", has clearly caught the eye of threat actors since its debut on underground forums in 2016. Its low price puts it within reach of a wide variety of actors, so it has been distributed with varying degrees of sophistication and shows no signs of slowing down. The malware provides a range of data theft capabilities, such as stealing stored passwords from local applications, recording user keystrokes, browsing and interacting with files on the infected host, taking screenshots, and more. Although the information stealing functionality is rather standard, the measures FormBook takes to avoid analysis make this family difficult to detect and analyze, which makes the stealer all the more appealing to actors looking for a new take on an old threat.

Unlike many of the more widespread malware families, which are sold on hidden marketplaces or Tor forums, FormBook is available on publicly accessible websites such as HackForums.net. Sold on such easily reached forums for as little as $30 per week, it offers threat actors a very low barrier to entry for launching attacks.

The following screenshot shows a section of an advertisement discovered on HackForums showcasing the low price of the malware:

Installation & Evasion

After being delivered to the victim computer, FormBook copies itself to one of two locations depending on the privileges it is executing with.
When running as a normal user, the malware is dropped to %TEMP% or %APPDATA%, while with elevated privileges the binary is stored in either %ProgramFiles% or %CommonProgramFiles%.

FormBook then leverages several anti-analysis techniques to ensure it is not being analyzed or executed within a virtual machine, looking for running processes common to VMs and analysis tools. The malware checks for the following running processes:

vmtoolsd.exe
vmwareuser.exe
vmwareservice.exe
vmsrvc.exe
vmusrvc.exe
vboxtray.exe
vboxservice.exe
wireshark.exe
procmon.exe
regmon.exe
filemon.exe

In addition to inspecting running processes, FormBook also checks the USERNAME environment variable in an attempt to detect sandbox environments, and looks for the presence of both kernel and userland debuggers.

While these types of checks are standard for malware, they are harder to identify in FormBook because of the string encryption employed throughout its execution. The common strings one would expect to find in a sample, such as the names of the processes it tries to evade, its command and control servers, or the processes it will inject into, are only decoded at the moment they are needed. Likewise, the API calls the malware uses are resolved at runtime by function name hashing.

Staging

Once all of the anti-analysis checks have passed, FormBook injects itself into the running explorer.exe process. It does this by iterating over all running processes and comparing each process name's CRC32 checksum against the checksum of the explorer process name. For many malware families, injection into the explorer process is the final resting place; for FormBook it is only a temporary staging ground.
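When reversing a sample that compares hashed process names rather than strings, the usual analyst step is to precompute the hashes of candidate names so that a 32-bit constant in the disassembly can be mapped back to a name. The following Python is an added example (not code from the write-up or from InQuest): it builds such a lookup table with zlib's CRC32 over the process names listed on this page. The write-up states CRC32 only for the explorer.exe comparison; including the anti-analysis list, and the choice of ASCII versus UTF-16LE encoding and upper/lower case, are assumptions exposed as parameters so they can be tuned to what the sample actually does.

```python
import zlib

# Process names taken from the write-up: the anti-analysis list and the injection target.
ANTI_ANALYSIS_PROCESSES = [
    "vmtoolsd.exe", "vmwareuser.exe", "vmwareservice.exe", "vmsrvc.exe", "vmusrvc.exe",
    "vboxtray.exe", "vboxservice.exe", "wireshark.exe", "procmon.exe", "regmon.exe",
    "filemon.exe",
]
INJECTION_TARGET = "explorer.exe"


def crc32_name(name: str, encoding: str = "ascii") -> int:
    """CRC32 of a process name as an unsigned 32-bit value.

    Whether a given sample hashes the ANSI or the wide (UTF-16LE) form of the name,
    and in which letter case, is not stated in the write-up; both are assumptions
    here, so the encoding is a parameter and build_lookup() covers the case variants.
    """
    return zlib.crc32(name.encode(encoding)) & 0xFFFFFFFF


def build_lookup(names, encodings=("ascii", "utf-16-le")) -> dict:
    """Map every hash variant (original/lower/upper case x each encoding) back to its name."""
    table = {}
    for name in names:
        for variant in {name, name.lower(), name.upper()}:
            for enc in encodings:
                table[crc32_name(variant, enc)] = variant
    return table


HASH_TABLE = build_lookup(ANTI_ANALYSIS_PROCESSES + [INJECTION_TARGET])


def resolve(hash_value: int):
    """Return the process name behind a 32-bit constant pulled from a sample, or None."""
    return HASH_TABLE.get(hash_value & 0xFFFFFFFF)


if __name__ == "__main__":
    # Dump the table so it can be pasted into a disassembler's enum/comment script.
    for h, n in sorted(HASH_TABLE.items()):
        print(f"{h:08x}  {n}")
```

If the constants in a sample do not resolve, the first things to vary are the encoding (wide strings are common in Windows process enumeration) and a case-normalization step applied before hashing, which is why both are parameters rather than fixed choices.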

FormBook then creates a new Windows process, chosen at random from a list of encrypted process names, and injects itself into it. Only then does it begin harvesting information from the infected system.

The following list contains the possible processes the malware chooses from for this stage:

audiodg.exe
autochk.exe
autoconv.exe
autofmt.exe
chkdsk.exe
cmd.exe
cmmon32.exe
cmstp.exe
colorcpl.exe
control.exe
cscript.exe
dwm.exe
explorer.exe
help.exe
ipconfig.exe
lsass.exe
lsm.exe
msdt.exe
msg.exe
msiexec.exe
mstsc.exe
napstat.exe
nbtstat.exe
netsh.exe
netstat.exe
raserver.exe
rdpclip.exe
rundll32.exe
services.exe
spoolsv.exe
systray.exe
svchost.exe
taskhost.exe
WWAHost.exe
wininit.exe
wlanext.exe
wscript.exe
wuapp.exe
wuauclt.exe
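The staging behaviour described above gives a defender a concrete process-lineage signal: the staging process is started by explorer.exe (which FormBook has just injected into), and several names on the list are session or service infrastructure binaries that a user's shell never launches. The following Python is an added example, not the write-up's or InQuest's code, of triaging process-creation telemetry against that list. The event fields mirror a Sysmon event ID 1 record with abbreviated names, the sample events are constructed, and the subset of names treated as "never a child of explorer.exe" is my tuning assumption rather than something the write-up states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Staging process names from the write-up, lower-cased for matching (WWAHost.exe -> wwahost.exe).
FORMBOOK_STAGING_PROCESSES = {
    "audiodg.exe", "autochk.exe", "autoconv.exe", "autofmt.exe", "chkdsk.exe", "cmd.exe",
    "cmmon32.exe", "cmstp.exe", "colorcpl.exe", "control.exe", "cscript.exe", "dwm.exe",
    "explorer.exe", "help.exe", "ipconfig.exe", "lsass.exe", "lsm.exe", "msdt.exe", "msg.exe",
    "msiexec.exe", "mstsc.exe", "napstat.exe", "nbtstat.exe", "netsh.exe", "netstat.exe",
    "raserver.exe", "rdpclip.exe", "rundll32.exe", "services.exe", "spoolsv.exe", "systray.exe",
    "svchost.exe", "taskhost.exe", "wwahost.exe", "wininit.exe", "wlanext.exe", "wscript.exe",
    "wuapp.exe", "wuauclt.exe",
}

# Tuning list (an assumption for this example, not from the write-up): session/service
# infrastructure binaries that an interactive explorer.exe has no normal reason to start.
NEVER_CHILD_OF_EXPLORER = {
    "lsass.exe", "services.exe", "wininit.exe", "lsm.exe", "dwm.exe", "svchost.exe",
    "spoolsv.exe", "audiodg.exe", "taskhost.exe",
}


@dataclass
class ProcessCreate:
    """Subset of a Sysmon event ID 1 record (hypothetical field names)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessCreate) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    child, parent = basename(ev.image), basename(ev.parent_image)
    if parent != "explorer.exe" or child not in FORMBOOK_STAGING_PROCESSES:
        return None
    if child in NEVER_CHILD_OF_EXPLORER:
        return "high"
    # Interactive tools (cmd.exe, control.exe, mstsc.exe, ...) are routinely launched from
    # the shell; keep them as a low-confidence signal to correlate with injection telemetry.
    return "medium"


def triage(events: List[ProcessCreate]) -> List[Tuple[int, str, str]]:
    """Return (pid, image basename, severity) for every event that scores."""
    hits = []
    for ev in events:
        severity = score_event(ev)
        if severity:
            hits.append((ev.pid, basename(ev.image), severity))
    return hits


# Constructed sample telemetry: one anomalous lineage, one shell-launched tool, one benign
# service child, one unrelated child of explorer, one staging-list name with a benign look.
SAMPLE_EVENTS = [
    ProcessCreate(1204, r"C:\Windows\System32\lsass.exe", r"C:\Windows\explorer.exe", "lsass.exe"),
    ProcessCreate(1310, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                  r'"C:\Windows\System32\cmd.exe"'),
    ProcessCreate(700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                  "svchost.exe -k netsvcs"),
    ProcessCreate(1400, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcessCreate(1500, r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\explorer.exe", "wuauclt.exe"),
]

if __name__ == "__main__":
    for pid, image, severity in triage(SAMPLE_EVENTS):
        print(f"pid={pid} image={image} severity={severity}")
```

The "medium" tier will be noisy on its own; it earns its keep when joined with the other behaviours on this page, such as a process from this list subsequently writing files under %APPDATA% or opening network connections.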

Persistence

After injecting into the newly created process, FormBook deletes the original payload and sets itself up for persistence.
The persistence method is rather standard for malware, especially considering how much effort the rest of the execution spends avoiding detection and analysis. FormBook merely creates a registry entry pointing to the path of the copied payload dropped during initial execution, under one of two keys depending on the privilege level it is running with: SOFTWARE\Microsoft\Windows\CurrentVersion\Run or SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
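Because the persistence entry points back at the drop location from the Installation section, the two facts can be checked together: a Run value under either key whose image lives in %TEMP% or %APPDATA% (or, for the elevated case, under %ProgramFiles% or %CommonProgramFiles%) is worth a look. The following Python is an added example, not the write-up's or InQuest's code, of that audit. The core logic takes already-parsed registry values so it can run anywhere; on Windows the __main__ block reads the live keys with the standard winreg module. The sample entries, environment, and the high/info severity split are constructed for the example.

```python
import os
import re
import sys

# The two persistence keys the write-up names (relative to the HKCU/HKLM hive).
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

# Drop directories from the write-up, most specific first so Common Files wins over
# Program Files. Severity is a triage choice for this example: user-writable drop dirs
# are far less usual for legitimate autostarts than Program Files is.
DROP_LOCATIONS = (
    ("TEMP", "high"), ("APPDATA", "high"),
    ("CommonProgramFiles", "info"), ("ProgramFiles", "info"),
)

_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def extract_image_path(value_data: str) -> str:
    """Pull the executable path out of Run value data such as '"C:\\x\\y.exe" /arg'
    or 'C:\\x\\y.exe /arg'. Unquoted paths containing spaces are cut at the first
    space; treat those as their own finding rather than trusting the prefix."""
    m = _IMAGE_RE.match(value_data)
    return (m.group(1) or m.group(2)) if m else ""


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def audit_run_entries(entries, env):
    """entries: iterable of (key_path, value_name, value_data) tuples.
    env: mapping of the four variable names to directories.
    Returns a list of finding dicts, one per entry whose image is under a drop dir."""
    findings = []
    for key_path, value_name, value_data in entries:
        image = _norm(extract_image_path(value_data))
        for var, severity in DROP_LOCATIONS:
            base = env.get(var)
            if base and image.startswith(_norm(base) + "\\"):
                findings.append({"key": key_path, "value": value_name, "image": image,
                                 "location": f"%{var}%", "severity": severity})
                break
    return findings


def read_live_run_entries():
    """Windows only: enumerate both keys under HKCU and HKLM via winreg."""
    import winreg
    out = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for sub in RUN_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    i = 0
                    while True:
                        try:
                            name, data, _ = winreg.EnumValue(key, i)
                        except OSError:
                            break  # no more values
                        out.append((f"{hive_name}\\{sub}", name, str(data)))
                        i += 1
            except OSError:
                continue  # key absent (Policies\Explorer\Run often is)
    return out


# Constructed sample: a benign OneDrive entry (AppData\Local, not %APPDATA%), two entries in
# user-writable drop dirs, and a vendor updater under Program Files.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "ProgramFiles": r"C:\Program Files",
    "CommonProgramFiles": r"C:\Program Files\Common Files",
}
SAMPLE_ENTRIES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svcupdate",
     r"C:\Users\alice\AppData\Roaming\svcupdate\svcupdate.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "winfb",
     r'"C:\Users\alice\AppData\Local\Temp\fb-placeholder.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Vendor Updater",
     r'"C:\Program Files\Vendor\updater.exe" -silent'),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        entries, env = read_live_run_entries(), os.environ
    else:
        entries, env = SAMPLE_ENTRIES, SAMPLE_ENV
    for f in audit_run_entries(entries, env):
        print(f"[{f['severity']}] {f['key']} :: {f['value']} -> {f['image']} ({f['location']})")
```

The "info" tier exists because plenty of legitimate software registers an autostart under Program Files; the high-confidence signal is an autostart whose image sits directly in the user's %TEMP% or %APPDATA% tree, which is the unprivileged case described in the Installation section.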

Information Harvesting

Running within the context of the previously created Windows process, FormBook iterates over all running processes in search of targeted applications. Once it finds an application it supports, it injects itself into that application and installs API hooks specific to the target.

For example, web browsers have hooks installed on functions such as HttpSendRequest and WSASend to identify outgoing requests containing strings such as login, username and password, among several others.

Collected data is temporarily stored in files within the %APPDATA% directory before being sent back to the C&C server.

The following redacted screenshots of the FormBook administration panel highlight the supported applications as well as the view the threat actor is given of stolen information returned from the victim:

FormBook Admin Panel

Stolen Data

In addition to its credential theft and general monitoring capabilities, actors operating the malware can push instructions to infected hosts to perform tasks such as running arbitrary system commands, downloading and executing files, and adding new user accounts to the system.

Task Execution

Summary

While the information stealing features of FormBook may seem like common malware functionality, its real strength lies in its profoundly deceptive execution tactics and obfuscated code. In addition, the low price and wide availability of the malware give threat actors of all skill levels the means to launch campaigns targeting user data. It is likely we will continue to see this malware used in a variety of campaigns.

Detection

InQuest provides support for detecting FormBook's Command & Control traffic through the following signature:

Name: HA_FormBook_Beacon

EventID: 6000236

With the malware being distributed mainly through phishing emails, detection of the delivery mechanisms provides a means to mitigate this threat before any malicious actions can take place.

As such, InQuest provides detection for exploits used in FormBook's distribution via the following signatures: